Encryption for Implantable Medical Devices Using Modified ...



Received April 23, 2015, accepted May 31, 2015, date of publication June 15, 2015, date of current version June 24, 2015.

Digital Object Identifier 10.1109/ACCESS.2015.2445336

Encryption for Implantable Medical Devices Using Modified One-Time Pads

GUANGLOU ZHENG¹, (Student Member, IEEE), GENGFA FANG¹, RAJAN SHANKARAN², AND MEHMET A. ORGUN², (Senior Member, IEEE)

¹Department of Engineering, Macquarie University, Sydney, NSW 2109, Australia
²Department of Computing, Macquarie University, Sydney, NSW 2109, Australia

Corresponding author: G. Zheng ([email protected])

ABSTRACT We present an electrocardiogram (ECG)-based data encryption (EDE) scheme for implantable medical devices (IMDs). IMDs, including pacemakers and cardiac defibrillators, perform therapeutic or even life-saving functions and store sensitive data; therefore, it is important to prevent adversaries from having access to them. The EDE is designed with the ability to provide information-theoretically unbreakable encryption where two well-known techniques of classic one-time pads (OTPs) and error correcting codes are combined to achieve a cryptographic primitive for IMDs. Unlike other ECG-based key agreement schemes where ECG features are used to facilitate a key distribution, in the EDE scheme, random binary strings generated from ECG signals are directly used as keys for encryption. OTP keys are generated by the IMD and the programmer, respectively, before each encryption attempt; thus, the EDE does not require a cryptographic infrastructure to support a key distribution, storage, revocation, and refreshment. Protected by the EDE, IMDs could not be accessed by adversaries; however, medical personnel can have access to them by measuring real-time ECG data in emergencies. Therefore, the EDE design achieves a balance of high security and high accessibility for the IMD. Our data and security analysis shows that the EDE is a viable scheme for protecting IMDs.

INDEX TERMS Implantable medical devices (IMDs), wireless security, electrocardiogram (ECG), one-time pads (OTPs), error correcting codes.

I. INTRODUCTION

Implantable Medical Devices (IMDs), such as pacemakers, implantable cardiac defibrillators (ICDs), neuro-stimulators, drug delivery systems, perform a variety of health monitoring and therapeutic functions [1]–[7]. Currently wireless communication capabilities have been embedded as an intrinsic part of many modern IMDs. An external device, named a programmer, is used to set parameters to and extract data from these IMDs wirelessly. The utility of wireless technology, however, also exposes IMDs to malicious attacks. Halperin et al. [8] and Li et al. [1] have demonstrated that an adversary, equipped with software radio, directional antennas, or an off-the-shelf programmer, can easily launch an eavesdropping attack on the unencrypted communication sessions to harvest patient’s private data. Consequently, security issues have to be addressed to allow for the wide-spread deployment of the next generation IMDs.

Our proposed scheme addresses a pair of conflicting requirements underlying IMD security: high security and high accessibility [2], [9]. That is, any device without any knowledge of a password must not be allowed to have access to or decode information from IMDs. Meanwhile, IMDs must have an ability to allow unrestricted access by any genuine first-aid (emergency) medical personnel in the event of an emergency (e.g. heart attack, seizure) or device breakdown (e.g. malfunction, low battery) [9]. Several previous schemes have sought to switch IMDs between secure and normal modes by using an external device to control access to IMDs [3], [10], authentication with biometrics (iris, fingerprint or electrocardiogram (ECG)) [11], [12], ECG-based secret key sharing schemes [13], [14] and distance-bounding-based access control [15]. Notwithstanding these, to the best of our knowledge, no scheme currently exists that can provide a perfect encryption method to protect sensitive and critical IMD data for patients.

Our security solution is called an ECG-based Data Encryption (EDE) scheme. This is an extension of our previous work on the IMD security which focused on the ECG-based key distribution between the IMD and the programmer [13], [14]. Initially, an IMD and a programmer record electrocardiogram (ECG) signals synchronously from two parts of a patient’s body (e.g., the heart and the wrist) and generate two highly matching binary keys from these two signals, respectively. The IMD encrypts its secret data with one key before transmission; a programmer, after receiving the ciphertext, decrypts the secret data using another synchronously generated key.

VOLUME 3, 2015. 2169-3536 2015 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

The EDE implements a simple security policy for IMDs which we call “touch-decipher”: a programmer has an ability to decrypt the ciphertext if and only if it has a significant physical contact with the patient’s body. This robustness property is decided by properties of generated ECG keys, such as randomness, temporal variance and distinctiveness among individuals. The decryption capability would be disabled once the programmer loses physical contact with the patient. This touch-decipher policy balances the conflicting requirements of security and accessibility. Emergency medical responders can gain access to the IMD by making a physical contact with the patient’s body while adversary’s access is to be prevented without access to real-time ECG data.

We design an information-theoretically secure encryption method for IMDs. IMDs normally perform therapeutic or even life-saving functions for patients; attacks to IMDs could cause fatal consequences. That is why IMDs have to be rigorously protected from adversaries. Considering that One-Time Pads (OTPs), as proven by Shannon [16], are information-theoretically secure, the EDE scheme using modified OTPs can rigorously protect IMDs from adversaries deciphering messages.

The EDE scheme is based on physiological signal-based OTPs which uses binary strings generated from ECG as keys for direct encryption. OTPs were widely used for covert communications by intelligence agencies during the World War II and the Cold War. Recently the OTP concept was applied in quantum [17] and optical scattering [18] based cryptography. Recent research on ECG-based key agreement, proposed in [19]–[22], establishes a symmetric random key between two sensors where ECG signals are used to conceal the key in distribution. Unlike these schemes, security keys in our scheme are generated from ECG signals and are used to encrypt secret data directly. Compared to traditional symmetric key-based encryption systems, the EDE has the following advantages:

• The EDE scheme combines two well-known techniques of classic One-Time Pads and Error Correcting Codes to achieve a cryptographic primitive for IMDs. It inherits the property of perfect secrecy from OTPs, and even has an ability to resist brute-force attacks.

• The EDE scheme does not require a cryptographic infrastructure to support key pre-distribution, storage, revocation and refreshment. This is because OTP keys are generated from ECG signals by each sensor dynamically before each round of encryption. The EDE scheme does not need to protect random seeds either since ECG is used as a natural random source to generate keys.

The rest of this paper is organized as follows. In Section II, we review threat models of the IMD system and the ECG signal model; in Section III, we propose an architecture within which the EDE scheme can be implemented. Section IV is devoted to algorithms of the EDE scheme, including Error Correcting Codes, modified OTPs, ECG signal processing and communication protocols, while Section V presents a comprehensive evaluation of the scheme on aspects of OTP key features, FAR/FRR performance and overhead. We analyze the security of the scheme in Section VI and review the related work in Section VII. The final section provides a summary of our contributions.

II. SYSTEM MODELLING

In this section, adversarial and operational models, as well as ECG signal models are presented before detailing the EDE scheme.

A. THREAT MODELLING AND ASSUMPTIONS

Proper threat modelling is a vital aspect of security design [23]. IMDs communicate with an external device called a programmer infrequently. A wireless session with the IMD is initiated by the programmer during which the private data in the IMD are shared with or the parameters of the IMD are modified by the programmer. According to the U.S. Federal Communications Commission (FCC) requirement, the IMD normally does not initiate a session [24].

The analysis presented in [23] discusses two main classes of adversaries:

1) PASSIVE EAVESDROPPERS

A passive eavesdropper listens to an IMD’s wireless transmissions and tries to capture and decode transmitted data with off-the-shelf or custom-built radio equipment. It does not interfere with the IMD’s communications. Some recent studies have demonstrated that this kind of attack could compromise privacy and confidentiality of patient’s data [1], [8].

2) ACTIVE ADVERSARIES

An active adversary extends the eavesdropper’s capabilities and has the ability to replay recorded control commands, or generate new radio commands, to an IMD, aiming at triggering data transmission from the IMD or modifying the IMD’s settings. Halperin et al. [8] demonstrated that an active attacker could control IMDs by replaying messages which may even cause fatal heart attacks to patients while Li et al. [1] showed that the insulin pump could also be controlled by this kind of adversaries.

We assume that the adversaries cannot measure real-time ECG signals from a patient; however, they could use historical ECG from the patient to attack this security scheme. As measuring ECG signals requires a physical contact with the patient’s body, the attack would be detected by the patient immediately; moreover, physical attacks could be launched on the patient’s body if an adversary has the ability to make a physical contact with the patient. We also assume that medical personnel are trustworthy and hospitals provide a safe environment. This is reasonable as government regulatory agencies will oversee the conduct of doctors in hospital settings.

FIGURE 1. A depiction of two simultaneously sampled ECG signals from two parts of the same patient’s body. It shows three major waves within one ECG trace: P wave, QRS complex and T wave. The Inter-Pulse-Interval (IPI) is defined as the time interval of two consecutive R peaks.

B. ECG MODELLING

We extract random keys from ECG signals for encryption. An example of consecutive ECG signals is shown in Fig. 1. One ECG trace includes three major waves: P wave, QRS complex and T wave [25]. The P wave represents the depolarization impulse of the atria; QRS complex represents the ventricular depolarization while the T wave represents the ventricles repolarization. As the R-peak is the most prominent feature of the ECG waveform, it can be used to represent a heartbeat; the interval between two consecutive R peaks, shown in Fig. 1, is the heartbeat duration and is referred to as the Inter-Pulse-Interval (IPI). Suppose $t_{R(i)}$ is the timing of the $i$th R peak, then $IPI_i = t_{R(i)} - t_{R(i-1)}$. Random OTP keys can be extracted from IPIs because of their well-studied chaotic nature [26]. As the ECG waveform has long-term trends and short-term chaotic variations, the keys are generated from residual signals which are formed by eliminating the long-term trends in the ECG waveform.

In the EDE, OTP keys are generated from synchronously sampled ECG signals in the IMD and the programmer respectively. Fig. 1 also shows an example of two synchronously measured ECG signals. These two signals are from the same signal source, that is, heartbeats, so, they have a major part in common; a minor difference between them is caused by measurement errors from instruments and other factors. If we denote a binary string generated from the IMD as an OTP key, $k_{ai}$, and that from the programmer as $k_{bi}$, a mismatch between $k_{ai}$ and $k_{bi}$ could be regarded as bit errors of the key.

III. EDE SCHEME ARCHITECTURE

The EDE scheme includes two components: an IMD and an external programmer. The IMD is an electronic device which is implanted in the body to assist and/or monitor a patient’s health, while the programmer is an outside device which has the ability to access data in the IMD and program it wirelessly. Both of them are currently standard medical devices and most IMDs have the capability of measuring ECG signals [10]. In our scheme, an ECG sensor is connected to the programmer and measures ECG signals from, for example, the wrist of the patient, as shown in Fig. 2. It is convenient to add an ECG measuring function into the programmer since it is an outside device and is normally kept in a hospital.

FIGURE 2. Secure communications with the EDE scheme. The IMD and the programmer measure ECG signals from the heart and the wrist simultaneously on the same patient; before sending the secret data to the programmer, the data is encrypted with ECG signals in the IMD.

The scheme is depicted in Fig. 2. It can be seen that the IMD and the programmer measure ECG synchronously and random binary key sets, $K_A = \{k_{ai}\}$ and $K_B = \{k_{bi}\}$, are then generated by each device respectively. $K_A$ is used to encrypt secret data with modified OTPs in the IMD while $K_B$ is used to decrypt the ciphertext. Since there is a mismatch between $K_A$ and $K_B$ which could be regarded as the bit errors of the keys, error correcting codes (ECC) are employed to correct these errors within the decrypted message.

One key feature of the EDE is that the keys are independently generated by each device. The EDE does not require key distribution or transmission from one sensor to another. Key refreshment can be easily achieved by generating keys at two sensors directly. Also there is no need of key storage and revocation, since a fresh pair of keys, $k_{ai}$ and $k_{bi}$, will be generated before each new encryption cycle and will not be re-used according to OTP rules.

Another key feature is that the EDE scheme inherits the property of perfect secrecy from OTPs, and can provide information-theoretically secure encryption for IMDs. As IMDs normally perform therapeutic or life-saving functions, this feature is critical to IMD security. Inherent characteristics of ECG bit strings of randomness, temporal variance and distinctiveness ensure that OTP keys cannot be probed, duplicated or speculated without a physical contact with the patient’s body.

IV. ECG-BASED DATA ENCRYPTION SCHEME

One-Time Pads (OTPs), although acknowledged as mathematically unbreakable, have limited applications in the modern computing era [17], [18]. This is because the OTPs require the storage of a large number of random keys and guarantee that no keys are re-used. The EDE scheme applies a practical and secure approximation of OTPs for the IMD system where the OTP keys are generated by the sender and the receiver respectively and synchronously. This section presents the EDE scheme in detail. We first design a modified OTP algorithm for IMD encryption and then propose a protocol which executes the EDE scheme with this algorithm.

A. LINEAR ERROR-CORRECTING CODES

We design a system with a secret $s$ in the secret space $S$, an encryption algorithm $F_{Enc}$ and its corresponding decryption pair $F_{Dec}$. Considering the mismatch between $K_A$ and $K_B$, our designed EDE algorithm has to satisfy the following:

Definition 1: An encryption/decryption pair $(F_{Enc}, F_{Dec})$ with parameters $(S, K_A, K_B)$ is complete with $\varepsilon$-error tolerance when the following condition holds. For each $s_i \in S$ and each key pair $(k_{ai}, k_{bi})$ of $(K_A, K_B)$ where $|k_{ai} - k_{bi}| \le \varepsilon$, the decryption process $F_{Dec}(k_{bi}, F_{Enc}(s_i, k_{ai})) = s_i$ is with an overwhelming probability.

This requires that the EDE scheme has the capability to correct errors caused by the key pair mismatch between $(k_{ai}, k_{bi})$. Here the overwhelming probability is that it is larger than $1 - \varepsilon$ for certain negligible value $\varepsilon$. Borrowing design ideas from the area of fuzzy vault [27], fuzzy commitment [28] and fuzzy extractor [29], an Error Correcting Code (ECC) is introduced into the scheme without impacting protocol security.

We denote a binary linear ECC $(n_e, k_e, t_e)$ with error correcting capability $t_e$, where $n_e$ is the length of the codeword $C_e$ and $k_e$ the message length. The ECC encoding function, $\mathrm{encoderECC}(\cdot)$, maps the message $s \in \{0,1\}^{k_e}$ into its codeword $s_e \in \{0,1\}^{n_e}$. According to the ECC linear property an XOR operation of any two codewords leads to another codeword within the same codeword set. Here we use the Hamming distance to measure the distance of codewords, denoted by $d_H\{\cdot,\cdot\}$ and the Hamming weight is denoted by $\|\cdot\|$. For an ECC with error correcting capability $t_e$, the minimum distance of codewords is $d_H = 2t_e + 1$.

Given an ECC encoded message $s_e \in \{0,1\}^{n_e}$, the minimum distance to any codeword $c_e \in C_e$ is defined as $d_{min}(s_e, c_e) = \min_{c_e \in C_e} d_H(s_e, c_e)$. If $d_{min}(s_e, c_e) \le t_e$ the ECC decoding function, $\mathrm{decoderECC}(\cdot)$, returns the message corresponding to the closest codeword within $C_e$. Otherwise, this encoded message is not decodable. A classic class of cyclic ECC called BCH codes is chosen in our design. The principal advantage of BCH codes is that they can be decoded with a small and low-powered electronic hardware [30], such as the wireless sensor nodes.

B. MODIFIED ONE-TIME PAD ALGORITHM

For classical OTPs working over a secret $s_i$ in the secret space $S$, a corresponding key $k_i$ in the key space $K$, the resulted cryptogram $c_i$ in the cryptogram space $C$ is denoted by $c_i = f(s_i, k_i) = s_i \oplus k_i$, where $f$ is a function with a unique inverse $f^{-1}$ and $\oplus$ is an XOR operation which mixes each bit of $s_i$ with each bit of $k_i$. Thereafter, $c_i$ is to be sent through a public channel. At the receiving end, the same OTP key $k_i$ is applied to decrypt the secret $s_i$ by $s_i = f^{-1}(c_i, k_i) = c_i \oplus k_i$. For a series of secret messages $S = \{s_1, s_2, \cdots\}$, the corresponding cryptogram is denoted by $M_c = F(S) = \{f(s_1, k_1), f(s_2, k_2), \cdots\}$ while its decryption process is denoted by $S = F^{-1}(M_c) = \{f^{-1}(c_1, k_1), f^{-1}(c_2, k_2), \cdots\}$. Here $F$ denotes the implementation of $f$ on each element of $S$ while $F^{-1}$ is its inverse $f^{-1}$ on each element of $M_c$. OTPs become unbreakable only when the used keys are kept secret, truly random, never re-used in whole or part and the same length as the message.

Because of the uncertainty of physiological (ECG) signals, the requirement in Definition 1 has to be satisfied. Thus, the classical OTPs are modified as follows:

(a) Encryption process $F_{Enc}$. A series of secrets $S$ are mapped to ECC codewords $S_e$ by $S_e = \mathrm{encoderECC}(S)$ at the beginning where redundant information is added to correct errors caused by key bit mismatches. Then OTP operations are performed on $S_e$ to encrypt the secrets by $M_c = F_{Enc}(S, K_A) = F(S_e, K_A)$.

(b) Decryption process $F_{Dec}$. The cryptogram $M_c$ is decrypted by $K_B$ by $S'_e = F^{-1}(M_c, K_B)$. $S'_e$ is slightly different from $S_e$ due to bit errors between $K_A$ and $K_B$. In order to correct these error bits, ECC decoding process is performed by $S' = \mathrm{decoderECC}(S'_e)$ where $S'$ is the output of the modified OTPs.

In order to ensure that $S'$ equals $S$, the hash value of $S$, $hash(S)$, is sent to the receiver along with the cryptogram $M_c$. Hence the receiver computes the hash value $hash(S')$ with the same hash function as the sender and compares it with the received $hash(S)$. The modified OTP scheme succeeds if they are equal; otherwise it fails and the output $S'$ is discarded. Within this modified OTP scheme, the length of the key has to be as long as the ECC codeword, not the secret, since the ECC codeword is XORed with the key.

Lemma 1: For $\forall k_{bi} \in K_B$, the decryption process $F_{Dec}$ succeeds when the number of key bit errors is less than or equal to ECC error correction capability, denoted by $|k_{ai} - k_{bi}| \le t_e$. The largest error tolerance $\varepsilon$ of the scheme equals the ECC error correction capability $t_e$.

Proof: In the $i$th OTP encryption, the cryptogram $m_{ci} = F_{Enc}(s_i, k_{ai}) = s_{ei} \oplus k_{ai}$, where $s_{ei} = \mathrm{encoderECC}(s_i)$ is the ECC encoding output. In the decryption process, $s'_{ei} = f^{-1}(m_{ci}, k_{bi}) = m_{ci} \oplus k_{bi} = (s_{ei} \oplus k_{ai}) \oplus k_{bi}$. The output $s'_{ei}$ is different from $s_{ei}$ due to the mismatch between $k_{ai}$ and $k_{bi}$. According to the condition of the Lemma 1 $|k_{ai} - k_{bi}| \le t_e$, we can obtain $|s_{ei} - s'_{ei}| \le t_e$. Hence the ECC has the capability to correct bit errors within $s'_e$ and generate the secret $s_i$ by the ECC decoding function $\mathrm{decoderECC}(\cdot)$. The ECC can only correct up to $t_e$ error bits, thus the largest error tolerance $\varepsilon$ is decided by the ECC error correction capability $t_e$. □


FIGURE 3. The One-Time Pad (OTP) protocol. (a) The theoretically perfect OTP mixes a piece of secret data $s_i$ with a random key $k_i$ to generate a ciphertext $c_i$. (b) In the EDE, the OTP keys are generated from ECG and Error Correcting Codes (ECC) are employed in order to correct errors caused by key error bits.

Fig. 3 depicts a comparison of the classical OTPs and the EDE scheme within which the technique of OTPs is combined with the ECC to fulfill the transmission of the secret $s_i$. In classical OTPs, key pre-distribution is critical but involves high risk. The same copy of a key set has to be distributed securely to the sender as well as the receiver for successful decryption. However, the EDE scheme generates keys by extracting binary strings from ECG signals directly, as shown in Fig. 3 part (b). The sender (IMD) and the receiver (programmer) generate binary strings, $k_{ai}$ and $k_{bi}$, from simultaneously measured ECG signal; thus the EDE scheme does not require key pre-deployment or transmission.

C. OTP KEY GENERATION

The fundamental and critical part of the EDE scheme is to generate pairs of ECG Binary Strings (BSs) ($k_{ai}$ and $k_{bi}$) synchronously satisfying two basic requirements: randomness and low mismatch rate. ECG IPIs computed from the same ECG signal measured at different parts of the body by two sensors are not completely identical. Bao et al. [31] propose an ECG BS algorithm in which whole IPI values are used in quantization; but later research [12] shows that using all the bits of each IPI would reduce the entropy of generated BSs. We propose an improved ECG BS generation algorithm based on the scheme of Bao et al. [31]. The algorithm is described in four steps.

Step 1 [Simple Moving Average (SMA)]: The SMA is an un-weighted mean of a series of different subsets in the whole data sequence. For this system, the SMA of $m$ consecutive IPIs is given by

$$
\begin{aligned}
SMA_1 &= \frac{1}{w}\Big(\sum_{j=1}^{w} IPI_j\Big) \\
SMA_i &= SMA_{i-1} + \frac{1}{w}\,(IPI_{i+w-1} - IPI_{i-1}), \quad i = 2, 3, \ldots, m-w+1
\end{aligned}
\tag{1}
$$

where $w$ is the window size. It could be seen that the SMA process keeps the randomness of the current IPI value while it smoothes out the difference $\nabla IPI_i$ via a cumulative-sum method.

Step 2 (Gray Coding): Here we use Gray Code, not common binary code, to quantize IPIs. The most important feature of Gray Code is that there is only one bit difference between two successive values.

Step 3 (LSB Removal): We observed that the Least Significant Bit (LSB) of SMA processed IPIs was normally different. In order to reduce the mismatch rate, the LSB is not used in our scheme.

Step 4 (Parity Check): Bits from two consecutive SMA-processed IPIs at both sides are extracted to form an 8-bit block. Then both sides calculate the parity of their own block and exchange the parity information. If the parity is the same, each side extracts 7 bits of the block and discards the last bit as the parity check leaks one bit of information. This process moves ahead until there are 127 bits on each side.

In order to improve the matching performance, the SMA process is used here to smooth out short-term fluctuations of IPIs at two sensors. This process would, to some extent, reduce the entropy of generated BSs; however, there is a trade-off between the requirements of randomness and low mismatch rate. In practice, a proper selection of the SMA window size can achieve the balance between randomness and matching performance.
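The four key-generation steps can be traced end to end in a short sketch. This is an added example, not code from the paper: rounding SMA values to whole milliseconds, taking the four lowest bits left after LSB removal, dropping blocks whose parities differ, and all sample IPI values are assumptions made here.

```python
import random

KEY_BITS = 127     # key length named in Step 4
BITS_PER_IPI = 4   # two IPIs form one 8-bit block (Step 4)


def sma(ipis, w):
    """Step 1, Eq. (1): running mean over a window of w IPIs."""
    out = [sum(ipis[:w]) / w]
    for j in range(1, len(ipis) - w + 1):
        out.append(out[-1] + (ipis[j + w - 1] - ipis[j - 1]) / w)
    return out


def gray(n):
    """Step 2: binary-reflected Gray code of a non-negative integer."""
    return n ^ (n >> 1)


def ipi_bits(value_ms):
    """Steps 2-3 for one SMA value: Gray-code it, drop the LSB, keep 4 bits.

    Assumption: values are rounded to whole milliseconds and the four
    lowest remaining bits are used; the paper does not fix either choice.
    """
    g = gray(round(value_ms)) >> 1
    return [(g >> k) & 1 for k in range(BITS_PER_IPI - 1, -1, -1)]


def agree_keys(ipis_a, ipis_b, w=4):
    """Step 4: build 8-bit blocks, compare parities, keep 7 bits per block.

    Returns (k_a, k_b, dropped_blocks). Only the block parity crosses the
    channel. Blocks whose parities differ are dropped (assumption: the
    paper only states what happens when the parities agree).
    """
    sa, sb = sma(ipis_a, w), sma(ipis_b, w)
    ka, kb, dropped = [], [], 0
    for j in range(0, min(len(sa), len(sb)) - 1, 2):
        blk_a = ipi_bits(sa[j]) + ipi_bits(sa[j + 1])
        blk_b = ipi_bits(sb[j]) + ipi_bits(sb[j + 1])
        if sum(blk_a) % 2 == sum(blk_b) % 2:
            ka += blk_a[:7]   # last bit discarded: the parity leaked one bit
            kb += blk_b[:7]
        else:
            dropped += 1
        if len(ka) >= KEY_BITS:
            break
    return ka[:KEY_BITS], kb[:KEY_BITS], dropped


def hamming(a, b):
    """Number of positions in which two bit lists differ."""
    return sum(x != y for x, y in zip(a, b))


def constructed_ipis(n, seed):
    """Constructed sample data: n IPIs in ms around a resting heart rate."""
    rng = random.Random(seed)
    return [rng.randint(750, 950) for _ in range(n)]


def with_sensor_noise(ipis, seed):
    """Constructed second sensor: same beats, each IPI off by -1, 0 or +1 ms."""
    rng = random.Random(seed)
    return [x + rng.choice((-1, 0, 0, 1)) for x in ipis]


if __name__ == "__main__":
    heart = constructed_ipis(80, seed=7)
    wrist = with_sensor_noise(heart, seed=11)
    k_a, k_b, dropped = agree_keys(heart, wrist)
    print(f"key bits: {len(k_a)}, blocks dropped: {dropped}, "
          f"mismatching bits: {hamming(k_a, k_b)}")
```

With these assumptions, 830 ms and 831 ms quantize to the same four bits while 829 ms and 830 ms differ in exactly one bit, which is the mismatch the parity exchange is meant to catch.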

D. COMMUNICATION PROTOCOL DESIGN

After a programmer initiates a communication session with an IMD, a protocol implementing the EDE scheme is described as follows.

1) ECG BINARY STRING GENERATION

The programmer sends a synchronization request to the IMD for sampling ECG which indicates the sampling start-time $T_{start}$ with a timestamp in the frame. Since there would be a timing difference between two clocks residing in the IMD and the programmer, these two clocks are synchronized by following the IEEE 1588 standard [32]. In the EDE scheme, the programmer is selected as a master while the IMD is a slave. In the synchronization frame, the programmer indicates its current time $T_{current}$ and sends $T_{current}$ to the IMD. Since the IMD is very close to the programmer (less than 1m), the transmission time of this frame is negligible. Therefore, the IMD uses $T_{current}$ to correct its clock. After the clock synchronization, the IMD and the programmer sample ECG signals synchronously at the time $T_{start}$. Two highly matched and random ECG binary strings, $k_{ai}$ and $k_{bi}$, are then generated by the IMD and the programmer respectively, using the aforementioned algorithm. We do not require key pre-distribution or transmission here as keys will be generated by each device independently.

2) PROCESS IN THE IMD

After generating $k_{ai}$, the process executed in the IMD is shown in Algorithm 1. Firstly the secret $s_i$ is encoded by an ECC encoding process, $\mathrm{encoderECC}(\cdot)$, to create $s_{ei}$ in which redundant information is added for error correction purposes. Then the cryptogram $c_i$ is created by an XOR operation. A hash value is computed by a one way hash function $h(\cdot)$ in order to check message integrity and the correctness of decoded $s'_i$ at the programmer. A fresh random number generated by a counter, nonce, is used as a session identifier to prevent potential replay attacks. A message, msg, includes $id_{imd}$ and $id_{pro}$, identity numbers of the IMD and the programmer respectively. The message along with the hash value is then sent to the programmer through a public channel.

Algorithm 1 Process in the IMD
Input: the secret $s_i$ and the key $k_{ai}$
Output: a message, msg, sent to the public channel
    $s_{ei} = \mathrm{encoderECC}(s_i)$
    $c_i = s_{ei} \oplus k_{ai}$
    $hash = h(id_{imd} \,|\, nonce \,|\, c_i \,|\, s_i)$
    $msg = (id_{imd}, id_{pro}, nonce, c_i, hash)$
    startSession(msg)

3) PROCESS IN THE PROGRAMMER

After receiving the message, msg, the process in the programmer is shown in Algorithm 2. Considering potential channel interference (accidentally or deliberately), the message received is denoted by $msg'$. With generated key $k_{bi}$, the process is as follows. (a) The programmer decrypts $c'_i$ by an XOR operation with $k_{bi}$, resulting in $s'_{ei}$ which could be different from $s_{ei}$ due to the mismatch between $k_{ai}$ and $k_{bi}$ and/or wireless channel noise. (b) An ECC decoding process, $\mathrm{decoderECC}(\cdot)$, is then performed to correct error bits between $s'_{ei}$ and $s_{ei}$, resulting in $s'_i$. (c) $hash_{pro}$ is computed with the same hash function as that in the IMD and compared with the received $hash'$ so as to check both the integrity of received $msg'$ and the correctness of decoded $s'_i$. If $hash_{pro}$ equals $hash'$, the received msg is not modified in transmission and the obtained $s'_i$ is the same as the secret $s_i$; a ‘success’ code is then assigned to the acknowledgement ack; otherwise ack is assigned a ‘failure’ code. The programmer finally sends ack to the IMD to confirm the decryption results.

Similarly, the encryption protocol for messages from the programmer to the IMD can be done as follows: the programmer initiates and synchronizes the communication session with the IMD at the beginning, after which the two devices generate two random ECG BSs respectively. After that, the programmer follows a process similar to Algorithm 1 to encrypt the message, while the IMD performs decryption with a process similar to Algorithm 2. The ack message is sent back in each communication session to inform the programmer of the decryption result of each message.
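The exchange of Algorithms 1 and 2, as an added example that is not code from the paper. It swaps in the small BCH(15,7,2) code, decoded by syndrome lookup, for the paper's BCH(127,64,10), and SHA-256 for the hash; the device IDs, keys, secret, field encoding and the programmer's seen-nonce set are constructed assumptions.

```python
import hashlib
import hmac
from itertools import combinations

# Assumption: BCH(15,7,2) stands in for the paper's BCH(127,64,10) so that the
# decoder fits in a syndrome table; the protocol steps themselves are unchanged.
N, K, T = 15, 7, 2
GEN = 0b111010001  # g(x) = x^8 + x^7 + x^6 + x^4 + 1


def poly_mod(value):
    """Remainder of value(x) divided by g(x) over GF(2)."""
    top = GEN.bit_length() - 1
    for shift in range(value.bit_length() - 1 - top, -1, -1):
        if (value >> (shift + top)) & 1:
            value ^= GEN << shift
    return value


def ecc_encode(secret):
    """Systematic encoding: 7 data bits followed by 8 parity bits."""
    shifted = secret << (N - K)
    return shifted | poly_mod(shifted)


# Syndrome -> error pattern for every error of weight <= T (121 entries).
SYNDROMES = {0: 0}
for weight in range(1, T + 1):
    for positions in combinations(range(N), weight):
        error = sum(1 << p for p in positions)
        SYNDROMES[poly_mod(error)] = error


def ecc_decode(word):
    """Correct up to T bit errors; None when the syndrome is not correctable."""
    error = SYNDROMES.get(poly_mod(word))
    return None if error is None else (word ^ error) >> (N - K)


def digest(id_imd, nonce, c, s):
    """h(id_imd | nonce | c | s); the byte layout is an assumption."""
    fields = [id_imd, nonce.to_bytes(4, "big"), c.to_bytes(2, "big"), bytes([s])]
    return hashlib.sha256(b"|".join(fields)).digest()


def imd_send(secret, k_a, nonce, id_imd=b"IMD-01", id_pro=b"PRO-01"):
    """Algorithm 1: encode, XOR with the ECG key, hash, build msg."""
    c = ecc_encode(secret) ^ k_a
    return {"id_imd": id_imd, "id_pro": id_pro, "nonce": nonce,
            "c": c, "hash": digest(id_imd, nonce, c, secret)}


def programmer_receive(msg, k_b, seen_nonces):
    """Algorithm 2, plus a seen-nonce check (assumed) for replayed sessions."""
    if msg["nonce"] in seen_nonces:
        return None, "failure"
    s = ecc_decode(msg["c"] ^ k_b)          # decrypt, then correct key mismatch
    if s is None:
        return None, "failure"
    expected = digest(msg["id_imd"], msg["nonce"], msg["c"], s)
    if not hmac.compare_digest(expected, msg["hash"]):
        return None, "failure"
    seen_nonces.add(msg["nonce"])
    return s, "success"


def demo():
    secret = 0b1011001                      # constructed 7-bit secret
    k_a = 0b101100111000101                 # constructed IMD key
    k_b = k_a ^ 0b000010000000100           # synchronous measurement, 2 bits off
    k_old = k_a ^ 0b010101010101010         # other start-time or subject, 7 bits off
    msg = imd_send(secret, k_a, nonce=1)
    seen = set()
    results = {
        "same_time": programmer_receive(msg, k_b, seen),
        "replayed": programmer_receive(msg, k_b, seen),
        "other_key": programmer_receive(msg, k_old, set()),
        # One flipped ciphertext bit is corrected by the ECC, yet the hash
        # still fails because it covers the ciphertext itself.
        "tampered": programmer_receive(dict(msg, c=msg["c"] ^ 1), k_a, set()),
    }
    return secret, results


if __name__ == "__main__":
    for case, outcome in demo()[1].items():
        print(case, outcome)
```
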

Algorithm 2 Process in the Programmer
Input: the key kbi and msg′ received from the public channel
Output: the decrypted s′i and acknowledgement ack
    msg′ = (id′imd, idpro, nonce′, c′i, hash′)
    s′ei = c′i ⊕ kbi
    s′i = decoderECC(s′ei)
    hashpro = h(id′imd | nonce′ | c′i | s′i)
    if hashpro = hash′ then
        s′i = si
        ack ← success
    else
        ack ← failure
    end if
    Send ack to the IMD

V. SCHEME EVALUATION
In this section, we provide an evaluation of the EDE scheme by performing a series of experiments. Lacking the ability to obtain IPI measurements from IMDs in the lab, we follow a similar analysis as in [19]–[22] and generate OTP keys by using the ECG data from the MIT PhysioBank database (http://www.physionet.org/physiobank). Experiments were carried out on the ECG data from 167 subjects: 18 subjects (128 Hz, 5 men and 13 women) from the MIT-BIH Normal Sinus Rhythm (NSRDB) [33], 79 subjects (250 Hz, 466 Mbit) from European ST-T (EDB) [34], 47 subjects (360 Hz, 107 Mbit) from MIT-BIH Arrhythmia (MITDB) [33] and 23 subjects (250 Hz, 607 Mbit) from MIT-BIH Atrial Fibrillation (AFDB) [33]. Considering potential applications to pacemakers or ICDs, the last two databases (MITDB and AFDB) contain arrhythmia ECG signals.

FIGURE 4. The histogram of consecutive IPI values sampled at 125 Hz with a normal distribution fit (µ = 955 ms, σ² = (106.5 ms)²).

A. OTP KEY RANDOMNESS ANALYSIS
Randomness is a vital requirement of using generated ECG binary strings, that is, OTP keys, for security purposes. The EDE scheme relies upon generated ECG BSs following what Shannon defines as a purely random process [16]. Our first experiment was to analyze the randomness of captured ECG IPI values. We collected 15,000 consecutive IPI values and plotted histograms in Fig. 4, which shows that the fluctuation of IPI values fits into a normal distribution. Thus the distribution of consecutive IPIs is almost normal, which indicates the randomness of ECG IPI values.


FIGURE 5. The calculated entropy of generated ECG binary strings. The entropy values of most ECG bit strings are close to 1, with the mean entropy of 0.992.

This normal distribution is fundamental to generating random BSs from IPI values.

We then calculate the entropy to measure the uncertainty of generated ECG BSs. For a random variable χ ∈ {0, 1}, we can calculate the entropy of each bit sequence using the formula H(χ) = −p0 log2 p0 − p1 log2 p1, where p0 and p1 are the probability mass functions of 0s and 1s respectively. The largest entropy is 1 when it follows a uniform distribution. The entropy result of bit strings generated from about 100 ECG samples is shown in Fig. 5. It can be seen that the entropy values of most ECG bit strings were close to 1, with the mean entropy of 0.992. Furthermore, a two-tailed runs test was also performed during the experiment, which showed that more than 95% of ECG bit strings passed the two-tailed runs test with a significance level of 5%. Therefore, the generated ECG bit strings have a good performance of randomness.
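The two checks described above, as an added example that is not code from the paper: the entropy formula measures only the balance of 0s and 1s, so it is paired here with a two-tailed runs test. The Wald-Wolfowitz runs test with a normal approximation is assumed, since the paper does not say which variant it used, and all sample strings are constructed.

```python
import math


def bit_entropy(bits):
    """H = -p0*log2(p0) - p1*log2(p1) over the 0/1 frequencies of the string."""
    h = 0.0
    for symbol in "01":
        p = bits.count(symbol) / len(bits)
        if p > 0:
            h -= p * math.log2(p)
    return h


def runs_test_p_value(bits):
    """Two-tailed Wald-Wolfowitz runs test (normal approximation)."""
    n0, n1 = bits.count("0"), bits.count("1")
    n = n0 + n1
    if n0 == 0 or n1 == 0:
        return 0.0                      # a constant string is never random
    runs = 1 + sum(a != b for a, b in zip(bits, bits[1:]))
    mean = 2 * n0 * n1 / n + 1
    var = 2 * n0 * n1 * (2 * n0 * n1 - n) / (n * n * (n - 1))
    if var <= 0:
        return 1.0                      # too short to say anything
    z = (runs - mean) / math.sqrt(var)
    return math.erfc(abs(z) / math.sqrt(2))


def assess(bits, alpha=0.05):
    """Entropy, runs-test p-value and pass/fail at significance level alpha."""
    p = runs_test_p_value(bits)
    return {"entropy": bit_entropy(bits), "p_value": p, "passes": p >= alpha}


# Constructed samples: the first two are perfectly balanced (entropy exactly 1)
# but obviously structured; only the runs test rejects them.
SAMPLES = {
    "alternating": "01" * 64,               # too many runs
    "two_blocks": "0" * 64 + "1" * 64,      # too few runs
    "mixed": "0110100110010110",            # balanced, plausible run count
    "biased": "0001" * 32,                  # entropy well below 1
}

if __name__ == "__main__":
    for name, bits in SAMPLES.items():
        print(name, assess(bits))
```
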

In order to comprehensively analyze the randomness of generated ECG BSs, we performed an experiment with the National Institute of Standards and Technology (NIST) randomness test suite [35]. The quality of randomness of ECG binary strings was statistically evaluated by employing the state-of-the-art NIST test suite [35], which is used for testing random and pseudo-random number generators for cryptography. The outputs are p-values which indicate the probability that the generated BSs are random or not. If the p-value is less than a threshold (normally 1%), the hypothesis that a binary string is random is then rejected.

We used in the test an aggregate of databases of 18 subjects from the NSRDB [33], 79 subjects from EDB [34], 47 subjects from MITDB [33] and 23 subjects from AFDB [33], with test results shown in TABLE 1. Tests which produce multiple p-values are represented by a (+) and followed by the number of different generated values in parentheses. The table displays their mean values. TABLE 1 shows that all p-values are greater than 1% (pass). Consequently, the generated ECG BSs are random and can be used in practical OTPs.

TABLE 1. NIST statistical tests for generated BSs.

B. OTP KEY TEMPORAL VARIANCE
We evaluated generated ECG binary strings for temporal variance to ensure that the encrypted secret cannot be decrypted by the same subject’s historical or future ECG signals. In the experiment, we sampled ECG signals on each subject from the MIT-BIH NSRDB over 300 random start-times and computed the average Hamming distance between kai and kbi. Fig. 6 shows an experiment result from one subject. The x-axis represents kai of all samples while the y-axis represents kbi. Colors represent the range within which the actual Hamming distance falls. The higher values are in red while the lower values are in blue.

FIGURE 6. Hamming distance between two ECG binary strings generated from two different body parts of the same subject. It shows that the Hamming distance values of two BSs generated at different start-times are quite large (49.72% on average) while those of BSs generated at the same time (the diagonal values) are really small (less than 10%).

We can see from Fig. 6 that the Hamming distance values between kai and kbi generated at two different start-times are quite high, with the average distance of about 49.72% (about 63 bits). This bit error rate was much higher than the error correcting capability of BCH codes; thus the encrypted secret could not be decrypted by ECG signals measured at a different start-time of the same subject. Meanwhile, obtaining correct ECG binary strings via brute-force attack was also impossible in a realistic setting. This is because the adversary has no knowledge as to which of the 127 bits are different; obtaining the correct ECG bit string via brute-force would require $\binom{127}{63}$ attempts, which is nearly identical to brute-forcing a 127-bit long secret.

We also can see from Fig. 6 that all the diagonal values are very small (less than 10%), which means that the Hamming distance between kai and kbi generated at the same start-time is quite low; therefore, the error bits in the decrypted secret could be corrected by proper ECC.

C. OTP KEY DISTINCTIVENESS
The property of distinctiveness is to ensure that the secret encrypted by an IMD implanted in one subject cannot be decrypted by another programmer using ECG signals from another subject (either accidentally or maliciously). This can distinguish IMD systems on different subjects. In the experiment, we sampled ECG signals on each subject from the MIT-BIH NSRDB over 300 random start-times and computed the average Hamming distance between two ECG binary strings from different subjects. The average distance was 49.99% (about 63 bits), which is similar to that for temporal variance above. This result shows that the secret encrypted by an IMD using ECG signals from one subject cannot be decrypted by another programmer using another subject’s ECG signals. This can prevent attackers from decrypting secrets using a different subject’s ECG data.

D. FAR/FRR ANALYSIS
False Rejection Rate (FRR) and False Acceptance Rate (FAR) are two critical parameters to be taken into consideration when evaluating any biometric-based security scheme. In our experiment, FRR is the measure of the likelihood that a programmer fails to decrypt a secret from an IMD by using simultaneously measured ECG signals from the same subject, while FAR is the measure of the likelihood that a programmer could decrypt a secret from an IMD by using the same subject’s historical or future ECG data or data from another subject. Considering that error correction codes are employed, FRR and FAR will vary according to the BCH codes’ error correction capability. Fig. 7 shows experiment results of FRR and FAR on each ECG database with BCH code length n = 127.

FIGURE 7. FRR and FAR vary versus BCH codes error correction capability. The results of FAR tests on all ECG databases are zero while the FRR test results decline dramatically when the error correction capability t increases, ending at around 5%.

We observe from Fig. 7 that results of FAR tests on all ECG databases are zero, which means the encrypted secret could not be decrypted by either the same subject’s historical or future ECG data or ECG measured from other subjects. These results are consistent with the analysis of temporal variance and distinctiveness. We also see from Fig. 7 that FRR declines dramatically when the error correction capability, t, increases, ending at around 5%. We note that the performance on databases of sinus rhythm ECG (NSRDB and EDB) is better than that on arrhythmia databases (MITDB and AFDB). However, this scheme could be applied for arrhythmia patients as long as QRS peaks of ECG signals can be measured correctly. Generally, from our observation of experiments, the more accurately the ECG IPIs are measured, the better the FRR performance.

E. OVERHEAD ANALYSIS
Communication overhead is negligible in the EDE as the ciphertext sent into the channel is of the same length as the codeword of BCH codes. Adding a large number of chaff points to hide the data [19], [21] is not needed here as the secret data is already encrypted. The main concern of computation overhead is about the processes within the IMD since it is battery powered and implanted in the body. The programmer, as an external device in the hospital or clinics, could be easily designed with hardware capable of supporting intensive computational overheads. So, we focus on overhead analysis on the IMD.

In the IMD, processes include ECG binary string generation, BCH encoding, hash function and encryption. The encoding process of cyclic BCH codes could be quickly processed by linear feedback shift registers (LFSR). As presented in [10], the SHA-1 hash process takes around 4 ms on the platform of TelosB with TinyOS 2.1. The encryption process is a simple XOR operation. As discussed in [10] and [31], ECG detection and IPI calculations could be assumed as basic functions for IMDs (e.g., pacemakers).

In the ECG BS generation algorithm, SMA values of m consecutive IPIs are calculated first; since the window size w is a constant, its order of the computational complexity is O(m). For Gray coding, if a binary SMAi is $(b_{q-1}, b_{q-2}, \cdots, b_0)_2$, the corresponding Gray code $(g_{q-1}, g_{q-2}, \cdots, g_0)_2$ is calculated by,

$$
\begin{cases}
g_{q-1} = b_{q-1} \\
g_i = b_{i+1} \oplus b_i, & i = 0, 1, \cdots, q-2.
\end{cases} \tag{2}
$$

It could be seen that Gray coding needs (q − 1) bitwise addition operations for each SMAi. Compared to an addition operation, the bitwise operation is slightly faster; thus its complexity can be assumed as a fraction of an addition, denoted by γ (0 < γ < 1). Thus the total number of bitwise addition operations for Gray coding is O(γ(q − 1)(m − w + 1)) = O(m). LSB removal could be easily completed by reading all bits except the LSB. Therefore, the order of the computational complexity of the BS generation algorithm is O(m), which shows that it only adds a little complexity to the IMD.

The energy overhead due to communications is another important requirement when designing the EDE scheme. As discussed in [36], for a CrossBow MICA2DOT mote using a Chipcon CC1000 radio, receiving and transmitting a one-byte message consume 28.6 µJ and 59.2 µJ, respectively. For the IMD transmitting and receiving an N-byte message, the energy consumption is 59.2N µJ and 28.6N µJ, respectively. Compared with the fuzzy vault-based scheme [19], [21], our EDE scheme does not require any chaff points added into the message; therefore, the energy consumption is much lower than the fuzzy vault-based scheme.

VI. SECURITY ANALYSIS
The security of OTPs relies predominantly on their key management; the EDE communication protocols supporting OTPs also play a key role in their security. This section discusses how the EDE scheme obeys rules of key management in OTPs, the property of perfect secrecy and the protocol security.

A. REQUIREMENTS OF OTP KEYS
According to Shannon’s analysis [16], the protocol of OTPs is information-theoretically unbreakable only if properly applied. The rules for OTP keys are that: (a) the key is as long as the secret message; (b) the key is truly random; (c) each key is used only once and (d) the key is destroyed immediately after use. Requirements (a) and (b) have been achieved based on previous analysis; the EDE scheme will dispose of each key after use, which is in line with requirement (d).

Requirement (c) is to make sure that each key will not be re-used. Traditional OTPs use a small note pad to print a large set of random keys, and use a new key in each operation. In the computing era, this rule requires the storage of a large number of random keys and checking whether a key has been used before, e.g. OTPs applied in quantum [17] or optical scattering [18] based cryptography. However, this is not practical in the IMD system because of normally scarce resources, such as limited memory, as the IMD is implanted in the patient’s body. Thus we do not require the IMD to save all keys for verification purposes.

The randomness of generated ECG binary strings guarantees that the use of the same keys would hardly happen. Considering the error correction capability of the ECC, e.g. BCH code (n, m, t), two BSs with Hamming distance t could be regarded as the same key as they have the ability to decrypt each other’s ciphertext. The OTP key length is equal to the code length n. As bits in the key are purely random according to NIST tests, the probability of a similar key being generated as before can be modeled as an (n − t)-fold Bernoulli trial with probability p = 0.5, denoted by B(n, p). So, the success probability of generating the same or similar key can be calculated by,

$$
f(k; n, p) = \binom{n}{k} p^{k} (1-p)^{n-k}, \quad k = n - t \tag{3}
$$

For a BCH code (127, 64, 10) the success probability is $1.23 \times 10^{-24}$, which is negligible and could be assumed as zero in a practical test. Therefore we can assure that keys in the EDE scheme will not be re-used. So, adversaries cannot obtain any sensitive information to attack the scheme using statistical analysis or pattern matching. Consequently, all the requirements of OTP keys are fulfilled in the EDE.

B. SCHEME SECURITY
1) PERFECT SECRECY
The EDE scheme inherits the property of perfect secrecy from OTPs. For a secret message s with a priori probability P(s), the a posteriori probability, P(s|c), of the secret if cryptogram c is intercepted can be denoted by Bayes’s theorem as,

$$
P(s|c) = \frac{P(s)\,P(c|s)}{P(c)} \tag{4}
$$

in which P(c) is the probability of obtaining cryptogram c, and P(c|s) is the conditional probability of c when the secret s is chosen. According to the definition by Shannon [16], perfect secrecy is that the a posteriori probability is equal to the a priori probability independently of all values. So, intercepting the cryptogram gives no information to adversaries. In this scheme, it is required that P(s|c) = P(s). As P(s) ≠ 0, it is also required that P(c|s) = P(c). In the EDE scheme, one OTP key is used for one encryption only and the keys are purely random by the NIST test. Furthermore, although the ECC is employed in the scheme, the analysis using Eq. 4 shows the probability of generating two close keys with the number of error bits within the ECC error correcting capability t is negligible; thus the probability of c given the secret s is equal to the probability of obtaining c in any case, which means P(c|s) = P(c). In the EDE protocol design, a one-way hash function is used to check message integrity and correctness of the decrypted message, and the digests (hash values) could be intercepted by adversaries in the public channel. However, since the adversary could barely invert the digest to obtain the message, this intercepted digest would not compromise the message secrecy as long as the length of the digest is no less than the message length, such as choosing SHA-1 for a 128-bit message. The preimage attack is hard to launch here considering the length of the digest and the length of inputs of the hash function, including idimd, nonce, ci, si. Therefore the EDE scheme has the property of perfect secrecy.

In contrast to conventional symmetric encryption, perfect secrecy makes the scheme immune even to brute-force attacks. For secret messages {s1, s2, s3, · · · }, the encrypted messages are Mc = { f(s1, ka1), f(s2, ka2), f(s3, ka3), · · · }. As keys are purely random, guessing a secret in Mc (e.g. s1) requires trying all possible keys. Even if the adversary obtains s1 and ka1, it cannot gain any information about the key needed to decrypt other secrets in Mc due to key randomness.


TABLE 2. A comparison of recently proposed security schemes for IMDs.

2) PROTOCOL SECURITY
The EDE scheme has the ability to protect IMDs from eavesdropping. The active adversaries which aim at obtaining data from IMDs can also be prevented due to data encryption. Compared to traditional OTPs, our proposed scheme has additional features as highlighted below. (a) This scheme provides hash values to verify message integrity and the correctness of decrypted secrets. Any modification of the message would be detected by the programmer as the modified message cannot verify the hash value. (b) The device ID, IDpro, indicates which device the IMD intends to communicate with; the nonce maintains freshness of each session, and prevents potential replay attacks.

VII. RELATED WORK
Halperin et al. [2] first discussed that designing an IMD security scheme without compromising patient health must balance security and privacy goals with traditional goals such as safety and utility, allowing the IMD to be made accessible by medical personnel in emergencies. In order to achieve this balance, several schemes have been proposed, as listed in TABLE 2. Supporting access to IMDs under an emergency scenario is a necessary requirement for IMD security.

The first two listed schemes in TABLE 2 control access to the IMD using different techniques: ultrasonic distance bounding-based [15] and biometric-based (e.g. iris, fingerprint) access control [11]. The ultrasonic distance bounding-based security protocol ensures that anyone in the IMD’s close proximity can access it in emergencies, while the biometric-based scheme allows access to the IMD by matching biometric features. Considering that the algorithm of extracting features from iris or fingerprints is complicated, the biometric-based scheme is not feasible for a lightweight IMD. The following two schemes use an external device, a jammer-cum-receiver [24] and a gateway [3], [10] respectively, to do authentication for the IMD; in medical emergencies, doctors can simply turn off or remove the external security device to gain access to the IMD. However, the disadvantage of using an external device is that, if this device is broken, lost or forgotten, the whole security system would fail.

For the H2H scheme [12] in TABLE 2, two ECG BSs are generated by the IMD and the programmer respectively for authentication; however, as described in [12], a secure channel has to be set up using public-key cryptography, which is time and resource consuming for the lightweight IMD and is therefore unrealistic. Compared with the H2H, our EDE scheme can perform secure communication directly without requiring a secure channel to be set up beforehand. The sixth type of schemes in TABLE 2 (PSKA [21] and OPFKA [19]) propose an ECG-based key distribution protocol for a wireless body area network in which a symmetric key is embedded into the coefficients of a polynomial before transmission; since a high degree polynomial has to be calculated and reconstructed, this kind of scheme would consume plenty of resources of the lightweight IMD. Discussions of applying the ECG-based key distribution to IMDs could be found in our previous work [13], [14]. Compared to those schemes, encryption keys in our EDE scheme are directly generated from ECG signals. Thus our scheme does not require a cryptographic infrastructure to support key pre-distribution, storage, revocation and refreshment. Our EDE scheme even has an ability to resist brute-force attacks due to inheriting the property of perfect secrecy from classic OTPs.

In summary, none of the above approaches could provide proper security solutions for IMDs. According to the analysis in [23], data harvesting via eavesdropping or other attacks is one of the main concerns of IMD security; therefore we have designed the EDE scheme, which could provide an information-theoretically secure encryption algorithm in practice for the IMD system.

VIII. CONCLUSIONS
In this paper, we have presented an information-theoretically secure encryption method for IMDs, namely the ECG-based Data Encryption (EDE). The EDE combines two well-known techniques of One-Time Pads and Error Correcting Codes to achieve a cryptographic primitive for IMDs. In emergencies, medical personnel can gain access to patients’ IMDs by measuring the patients’ real-time ECG signals while adversaries cannot do it due to the lack of real-time ECG data; thus the designed EDE scheme achieves the balance of high security and high accessibility (in emergencies).

The EDE scheme uses physiological (ECG) signal-based OTPs to encrypt secret data from IMDs before transmission. OTP keys are to be generated by each device from synchronously measured ECG signals, respectively. As ECG signals are used as natural random input into the encryption algorithm, there is no need of a cryptographic infrastructure to support key distribution, storage, revocation and refreshment. We analyzed the performance of the scheme by using MIT PhysioBank ECG data, which showed that the EDE is a viable approach to secure IMDs from eavesdroppers and active adversaries. The security analysis showed that the EDE scheme fulfills the requirements of OTP key management, and thus inherits the property of perfect secrecy from OTPs. Future work includes a game-based security proof and an in-field study of the EDE scheme to better understand the properties of the generated ECG BSs and evaluate the performance of the scheme.

REFERENCES
[1] C. Li, A. Raghunathan, and N. K. Jha, "Hijacking an insulin pump: Security attacks and defenses for a diabetes therapy system," in Proc. 13th IEEE Int. Conf. e-Health Netw. Appl. Services (Healthcom), Jun. 2011, pp. 150–156.
[2] D. Halperin, T. Kohno, T. S. Heydt-Benjamin, K. Fu, and W. H. Maisel, "Security and privacy for implantable medical devices," IEEE Pervasive Comput., vol. 7, no. 1, pp. 30–39, Jan./Mar. 2008.
[3] G. Zheng, G. Fang, M. A. Orgun, and R. Shankaran, "A non-key based security scheme supporting emergency treatment of wireless implants," in Proc. IEEE Int. Conf. Commun. (ICC), Jun. 2014, pp. 647–652.
[4] C.-S. Park, "Security mechanism based on hospital authentication server for secure application of implantable medical devices," BioMed Res. Int., vol. 2014, Jul. 2014, Art. ID 543051.
[5] J. Astorga, J. C. Astorga, E. Jacob, N. Toledo, and M. Higuero, "Securing access to next generation IP-enabled pacemakers and ICDs using Ladon," J. Ambient Intell. Smart Environ., vol. 6, no. 2, pp. 157–177, 2014.
[6] S. Hosseini-Khayat, "A lightweight security protocol for ultra-low power ASIC implementation for wireless implantable medical devices," in Proc. 5th Int. Symp. Med. Inf. Commun. Technol. (ISMICT), Mar. 2011, pp. 6–9.
[7] N. Ellouze, M. Allouche, H. Ben Ahmed, S. Rekhis, and N. Boudriga, "Securing implantable cardiac medical devices: Use of radio frequency energy harvesting," in Proc. 3rd Int. Workshop Trustworthy Embedded Devices, 2013, pp. 35–42.
[8] D. Halperin et al., "Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power defenses," in Proc. IEEE Symp. Security Privacy, May 2008, pp. 129–142.
[9] C. Strydis, R. M. Seepers, P. Peris-Lopez, D. Siskos, and I. Sourdis, "A system architecture, processor, and communication protocol for secure implants," ACM Trans. Archit. Code Optim. (TACO), vol. 10, no. 4, 2013, Art. ID 57.
[10] F. Xu, Z. Qin, C. C. Tan, B. Wang, and Q. Li, "IMDGuard: Securing implantable medical devices with the external wearable guardian," in Proc. IEEE INFOCOM, Apr. 2011, pp. 1862–1870.
[11] X. Hei and X. Du, "Biometric-based two-level secure access control for implantable medical devices during emergencies," in Proc. IEEE INFOCOM, Apr. 2011, pp. 346–350.
[12] M. Rostami, A. Juels, and F. Koushanfar, "Heart-to-heart (H2H): Authentication for implanted medical devices," in Proc. ACM SIGSAC Conf. Comput. Commun. Security (CCS), 2013, pp. 1099–1112.
[13] G. Zheng, G. Fang, R. Shankaran, M. Orgun, and E. Dutkiewicz, "An ECG-based secret data sharing scheme supporting emergency treatment of implantable medical devices," in Proc. Int. Symp. Wireless Personal Multimedia Commun. (WPMC), Sep. 2014, pp. 624–628.
[14] G. Zheng, G. Fang, M. A. Orgun, R. Shankaran, and E. Dutkiewicz, "Securing wireless medical implants using an ECG-based secret data sharing scheme," in Proc. 14th Int. Symp. Commun. Inf. Technol. (ISCIT), Sep. 2014, pp. 373–377.
[15] K. B. Rasmussen, C. Castelluccia, T. S. Heydt-Benjamin, and S. Capkun, "Proximity-based access control for implantable medical devices," in Proc. 16th ACM Conf. Comput. Commun. Security, 2009, pp. 410–419.
[16] C. E. Shannon, "Communication theory of secrecy systems," Bell Syst. Tech. J., vol. 28, no. 4, pp. 656–715, 1949.
[17] F.-G. Deng and G. L. Long, "Secure direct communication with a quantum one-time pad," Phys. Rev. A, vol. 69, no. 5, p. 052319, 2004.
[18] R. Horstmeyer, B. Judkewitz, C. Yang, and I. M. Vellekoop, "Physical key-protected one time pad," U.S. Patent 2013 0 243 187, Feb. 21, 2013.
[19] C. Hu, X. Cheng, F. Zhang, D. Wu, X. Liao, and D. Chen, "OPFKA: Secure and efficient ordered-physiological-feature-based key agreement for wireless body area networks," in Proc. IEEE INFOCOM, Apr. 2013, pp. 2274–2282.
[20] Z. Zhang, H. Wang, A. V. Vasilakos, and H. Fang, "ECG-cryptography and authentication in body area networks," IEEE Trans. Inf. Technol. Biomed., vol. 16, no. 6, pp. 1070–1078, Nov. 2012.
[21] K. K. Venkatasubramanian, A. Banerjee, and S. K. S. Gupta, "PSKA: Usable and secure key agreement scheme for body area networks," IEEE Trans. Inf. Technol. Biomed., vol. 14, no. 1, pp. 60–68, Jan. 2010.
[22] K. K. Venkatasubramanian, A. Banerjee, and S. K. S. Gupta, "EKG-based key agreement in body sensor networks," in Proc. IEEE INFOCOM Workshops, Apr. 2008, pp. 1–6.
[23] W. Burleson, S. S. Clark, B. Ransford, and K. Fu, "Design challenges for secure implantable medical devices," in Proc. 49th Annu. Design Autom. Conf., Jun. 2012, pp. 12–17.
[24] S. Gollakota, H. Hassanieh, B. Ransford, D. Katabi, and K. Fu, "They can hear your heartbeats: Non-invasive security for implantable medical devices," ACM SIGCOMM Comput. Commun. Rev., vol. 41, no. 4, pp. 2–13, 2011.
[25] J. P. Martínez, R. Almeida, S. Olmos, A. P. Rocha, and P. Laguna, "A wavelet-based ECG delineator: Evaluation on standard databases," IEEE Trans. Biomed. Eng., vol. 51, no. 4, pp. 570–581, Apr. 2004.
[26] K. A. Brownley, B. E. Hurwitz, and N. Schneiderman, Cardiovascular Psychophysiology. Cambridge, U.K.: Cambridge Univ. Press, 2000.
[27] A. Juels and M. Sudan, "A fuzzy vault scheme," Designs, Codes Cryptogr., vol. 38, no. 2, pp. 237–257, 2006.
[28] A. Juels and M. Wattenberg, "A fuzzy commitment scheme," in Proc. 6th ACM Conf. Comput. Commun. Security, 1999, pp. 28–36.
[29] Y. Dodis, L. Reyzin, and A. Smith, "Fuzzy extractors: How to generate strong keys from biometrics and other noisy data," in Advances in Cryptology. Berlin, Germany: Springer-Verlag, 2004, pp. 523–540.
[30] R. C. Bose and D. K. Ray-Chaudhuri, "On a class of error correcting binary group codes," Inf. Control, vol. 3, no. 1, pp. 68–79, 1960.
[31] S.-D. Bao, C. C. Y. Poon, Y.-T. Zhang, and L.-F. Shen, "Using the timing information of heartbeats as an entity identifier to secure body sensor network," IEEE Trans. Inf. Technol. Biomed., vol. 12, no. 6, pp. 772–779, Nov. 2008.
[32] J. Eidson and K. Lee, "IEEE 1588 standard for a precision clock synchronization protocol for networked measurement and control systems," in Proc. 2nd ISA/IEEE Sensors Ind. Conf., Nov. 2002, pp. 98–105.
[33] A. L. Goldberger et al., "PhysioBank, physioToolkit, and physioNet: Components of a new research resource for complex physiologic signals," Circulation, vol. 101, no. 23, pp. e215–e220, 2000.
[34] A. Taddei et al., "The European ST-T database: Standard for evaluating systems for the analysis of ST-T changes in ambulatory electrocardiography," Eur. Heart J., vol. 13, no. 9, pp. 1164–1172, 1992.
[35] L. Bassham et al., "SP 800-22 Rev. 1a. A statistical test suite for random and pseudorandom number generators for cryptographic applications," Nat. Inst. Standards Technol., Gaithersburg, MD, USA, 2010.
[36] A. S. Wander, N. Gura, H. Eberle, V. Gupta, and S. C. Shantz, "Energy analysis of public-key cryptography for wireless sensor networks," in Proc. 3rd IEEE Int. Conf. Pervasive Comput. Commun. (PerCom), Mar. 2005, pp. 324–328.


GUANGLOU ZHENG (S’13) received the B.Eng. and M.Eng. degrees in electrical engineering from the Nanjing University of Aeronautics and Astronautics. He is currently pursuing the Ph.D. degree with Macquarie University, Sydney, Australia. He was a Telecommunication System Research and Development Engineer with ZTE Corporation. His current research focuses on security issues of wireless body area networks.

GENGFA FANG received the master’s degree in telecommunications from Zhejiang University, in 2002, and the Ph.D. degree in wireless communications from the Institute of Computing Technology, Chinese Academy of Sciences, in 2007. From 2007 to 2009, he was a Researcher with the Canberra Research Laboratory, National ICT Australia (NICTA), and then joined the Department of Engineering, Macquarie University, where he is currently a Senior Lecturer. His research has been supported by CSIRO, NICTA, NXP, Zarlink, and Intel. He has authored over 60 papers, and holds five patents in Media Access Control protocols, cross-layer design, wireless resource management and allocation for 5G, and medical body area networks.

RAJAN SHANKARAN received the M.B.A. degree in management information systems from the Maastricht School of Management, in 1994, and the M.Sc. (Hons.) and Ph.D. degrees in computing from the University of Western Sydney, in 1999 and 2003, respectively. He was a Lecturer with the University of Western Sydney. He is currently a Senior Lecturer with Macquarie University, Sydney, Australia. He mainly works in the areas of network security and trust in mobile networks. His research interests include cognitive radio networks, medical body area networks, Internet Protocol-based mobile networks, and content centric networks. He has served as the Program Co-Chair and a Program Committee Member of a number of conferences in computer networking and security.

MEHMET A. ORGUN (SM’96) received the B.Sc. and M.Sc. degrees in computer science and engineering from Hacettepe University, Ankara, Turkey, in 1982 and 1985, respectively, and the Ph.D. degree in computer science from the University of Victoria, Canada, in 1991. He is currently a Professor with the Department of Computing, Macquarie University, Sydney. His research interests include knowledge discovery, multiagent systems, trusted systems, and temporal reasoning. His professional service includes editorial and review board memberships of several leading journals and program committees, and senior program committee memberships of numerous national and international conferences. Recently, he was the Program Co-Chair of the 14th Pacific-Rim International Conference on Artificial Intelligence in 2010, and the Conference Co-Chair of the 7th and 8th International Conferences on Security of Information and Networks in 2014 and 2015.
